Thinking of emailing dental patient records? Think again

With HIPAA and the exchange of health information every day, secure email systems are more important than ever for dental practices.

Jan 17th, 2019

The handling and sharing of patient data, and health records specifically, is a critical and sensitive issue that affects millions of dentists and patients every day throughout North America.

The Centers for Disease Control and Prevention (CDC) reports that more than one billion patient visits are recorded each year by doctors’ offices, clinics, and hospitals in America. Add in the number of dental visits, and that number skyrockets. Just think about the number of patient records changing hands between caregivers, specialists, care organizations, and their staffs each day in this country.

It’s no small number, to be sure.

In the dental field alone, x-rays, images, billing information, claims data, and treatment information are shared among interested parties. In most cases, communication between providers and dental plans or payers is done using secure portals or other technology services, such as those used for electronic claim attachments. But for patient and provider communications, email is often the only option for practices.

Millions of people have access to email, which is why it’s such a popular medium. It’s ubiquitous in American communication culture. But emailing sensitive health information is dangerous because email lacks security and regulatory compliance and is vulnerable to attack.

Security, privacy, and protection

Since email is everywhere and so easy to use, many who use it to send Protected Health Information (PHI) are not concerned about its lack of security. It’s a mode of communication that’s often taken for granted. Like clean air and water, it’s there and ready to be used. Gaps in email security should worry dentists and dental teams anytime they attach patient information to an email and hit “send.” Lack of encryption is the primary problem, not only in transit but also at rest. When information lands on the servers of the email providers, it lies vulnerable at all times.

What’s at stake here is simple. Exchanging PHI by unencrypted, unsecure email exposes patients’ personal information to an underworld of hackers looking to exploit the information. This may include everything from the most personal and private information to diagnoses of illnesses. The consequences are enormous, and the results are easy to achieve for those who are bent on achieving them.

HIPAA compliance

Beyond the security issue of email is the challenge of regulatory compliance and HIPAA. To be clear, according to cloud security and productivity experts at Protected Trust, “Although HIPAA does not literally require encryption, Congress nonetheless has effectively mandated its use because (i) it is all but impossible to think of a real-world situation where encrypting ePHI is not reasonable and appropriate, and (ii) if you choose not to use it, you are exposing your business to a plethora of regulatory, legal, public relations, and/or financial risks that are easily avoidable—by simply using encryption.”

Additionally, dentists need to obtain consent from patients before sending them any type of PHI via unsecured email. Doing so without a patient’s consent can constitute a violation of HIPAA.

“Using an encrypted email system is the easiest and most efficient way of responding to patients' requests and complying with the law,” said Dr. Mary Licking, chair of a working group of the Standards Committee on Dental Informatics.

“It's imperative that covered dental practices that choose to use a secure messaging service that meets the HIPAA definition of a business associate or health information exchange obtain from that service provider a business associate agreement that complies with HIPAA requirements before using the service,” Licking continued. “Using an encrypted email system is the easiest and most efficient way of responding to patients' requests and complying with the law.”

HIPAA places responsibility on care providers, both dental and medical, to ensure privacy and security of patient records. Unencrypted emails living on servers or hacked in transit can lead to breaches of records that place dental practices at risk of being fined up to $50,000 for a first offense, or of ransomware and other malicious attacks from outsiders.

The numbers don’t lie

Nearly 30 million patient health records were compromised in HIPAA data breaches from 2009 through 2012. Records breached in 2012 showed a 138% increase from the previous year. Data to support such claims is copious, with sites dedicated exclusively to reporting them.

More recently, according to Health and Human Services (HHS) reports, there were 100 email-related breaches between January 2017 and July 2018. One of those even involved a dental practice. During this same time period, the average HIPAA violation fine was $1.9 million. The smallest fine assessed was $31,000. While these cases are not limited to email-related breaches, you get the picture. Could your practice afford that kind of financial hit?

The monetary fines are one thing, but they do not factor in the price of bad publicity and the loss of patient confidence when such incidents occur. There’s no doubt that HIPAA and data security are nothing to dismiss lightly.

Encryption is the better way

For these reasons and many others, the dental community must rapidly adopt encryption-based solutions for the electronic and secure transfer of patient information. Email encryption is necessary to ensure patient privacy for your practice while streamlining care collaboration and speeding up response times that benefit patient treatment. Now, in real time, patients and dental professionals can share data and health information instantly from the desk of a user to the desk of the receiver, with secure encryption throughout the entire process. As long as email is the communication vehicle of choice, encryption must be included seamlessly.

With just a simple add-on to your current email solution, you can maintain the convenience of sharing data with colleagues and patients in the same easy-to-use and affordable manner as before. The sharing of electronic patient records and information is necessary in busy practices, and well-known legacy systems such as email can still be a crucial communication tool. Just make sure that you are keeping patient data and your practice safe in the process.

Using encrypted email not only streamlines your practice workflow, it can also empower patients with a greater understanding and improved accessibility throughout the course of their care. With encrypted email, sending treatment plans, billing information, and historical data prior to or after a visit has never been safer or easier.